
Q: Diskutil eject does not 're-lock' Filevault encrypted volumes on external drive

Man documentation for diskutil...

http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/diskutil.8

... states that the diskutil eject command can be used to "re-lock" a corestorage volume that has been previously unlocked:

"To 're-lock' the volume, make it offline again by ejecting it, e.g. with diskutil eject."

I have an external hard drive with several Filevault 2 encrypted partitions (OSX 10.8.3). Once a volume is unlocked using diskutil corestorage unlockVolume, when the volume is subsequently ejected using diskutil eject, it shows the disk as unlocked after ejecting. After ejecting, I can look with diskutil corestorage list and find:


|               Encryption status:      Unlocked

Indeed, after ejecting, the disk can be re-mounted and the files accessed without re-entering the Filevault password for the volume.

The only means I have for restoring the disk to the locked status is to restart the machine.

What is the correct way to "re-lock" a corestorage volume?

Below is the output for the drive using diskutil corestorage list after unlocking with diskutil corestorage unlockVolume and then ejecting with diskutil eject.


+-- Logical Volume Group ####
|   =========================================================
|   Name:        ####
|   Status:       Online
|   Size:         498058510336 B (498.1 GB)
|   Free Space:   0 B (0 B)
|   |
|   +-< Physical Volume ####
|   |   ----------------------------------------------------
|   |   Index:    0
|   |   Disk:     disk1s4
|   |   Status:   Online
|   |   Size:     498058510336 B (498.1 GB)
|   |
|   +-> Logical Volume Family ####
|       ----------------------------------------------------------
|       Encryption Status:       Unlocked
|       Encryption Type:         AES-XTS
|       Conversion Status:       Complete
|       Conversion Direction:    -none-
|       Has Encrypted Extents:   Yes
|       Fully Secure:            Yes
|       Passphrase Required:     Yes
|       |
|       +-> Logical Volume ####
|           ---------------------------------------------------
|           Disk:               disk2
|           Status:             Online
|           Size (Total):       497739735040 B (497.7 GB)
|           Size (Converted):   -none-
|           Revertible:         No
|           LV Name:            ####
|           Volume Name:        ####
|           Content Hint:       Apple_HFS

Mac mini, OS X Mountain Lion (10.8.3)

Posted on Apr 2, 2013 1:41 AM
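The check the question performs by hand (ejecting, then reading "Encryption Status" out of diskutil corestorage list) is easy to script, which is useful on a machine where leaving a CoreStorage family unlocked after eject would go unnoticed. The script below is an added example and is not from this thread or from Apple; it parses the listing format shown above, reports every Logical Volume Family still reported as Unlocked, and returns non-zero in that case so it can run from a post-eject hook or a periodic job. The diskutil output embedded in it, including the UUIDs, is constructed for demonstration; on a Mac the run_check function queries diskutil directly.

```shell
#!/bin/sh
# Added example, not from the forum thread: detect CoreStorage Logical Volume
# Families that `diskutil corestorage list` still reports as "Unlocked".
# The sample listing below is constructed (UUIDs are placeholders), trimmed to
# the fields this parser uses; it stands in for real output where diskutil
# is unavailable.

SAMPLE_LIST='+-- Logical Volume Group 11111111-2222-3333-4444-555555555555
|   Name:        Backup
|   Status:       Online
|   +-> Logical Volume Family AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
|       Encryption Status:       Unlocked
|       Encryption Type:         AES-XTS
|       Passphrase Required:     Yes
|       +-> Logical Volume 99999999-8888-7777-6666-555555555555
|           Disk:               disk2
|           Status:             Online
+-- Logical Volume Group 22222222-3333-4444-5555-666666666666
|   Name:        Archive
|   +-> Logical Volume Family FFFFFFFF-0000-1111-2222-333333333333
|       Encryption Status:       Locked
|       Encryption Type:         AES-XTS
'

# Read a listing on stdin; print "<LVF UUID> <Encryption Status>" per family.
# The family UUID is the last field of the "Logical Volume Family" line and
# applies to the "Encryption Status:" line that follows it.
lvf_status() {
    awk '
        /Logical Volume Family/        { lvf = $NF }
        /Encryption [Ss]tatus:/        { print lvf, $NF }
    '
}

# Read a listing on stdin; print the UUID of every family that is Unlocked.
# Empty output means every encrypted family is locked.
unlocked_lvfs() {
    lvf_status | awk '$2 == "Unlocked" { print $1 }'
}

# Read a listing on stdin; exit 0 when all families are locked, 1 otherwise.
check_locked() {
    n=$(unlocked_lvfs | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Live check on a Mac (diskutil present); otherwise demonstrate on the
# constructed sample so the script still runs elsewhere.
run_check() {
    if command -v diskutil >/dev/null 2>&1; then
        diskutil corestorage list | unlocked_lvfs
    else
        printf '%s' "$SAMPLE_LIST" | unlocked_lvfs
    fi
}
```

Run it after diskutil eject: any UUID it prints is a family whose key material is still held by the kernel, i.e. the volume will remount without a passphrase, which is exactly the condition the question describes. Wire check_locked into whatever unmount procedure is in use so that the failure is visible instead of silently assumed away.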

  • by MeMeMeMeMe,

    MeMeMeMeMe, Nov 8, 2013 12:56 PM in response to fred724
    Level 1 (0 points)

    Are you sure about that?  That is not what is being reported by the other people here on this forum.

    I wonder what the difference is between what you are doing and what other people are experiencing.  Do your disks have more than one partition on them?  I don't think this should make a difference, but I will check.

    It seems implausible that Apple has not had the capability to fix this problem over such a long time period.  I have to wonder if the NSA is preventing them from doing so.  At the very least, they could update their diskutil corestorage man pages (e.g. man diskutil) to reflect what the actual behavior is, rather than having left it for over a year now giving people the impression that ejecting an encrypted disk provides security, when it doesn't.


  • by MeMeMeMeMe,

    MeMeMeMeMe, Nov 8, 2013 1:24 PM in response to fred724
    Level 1 (0 points)

    fred724 wrote:

    The best work around for this issue is to format the external drive using HFS+ journaled encrypted from the diskutil options.  Set your password and be sure to not save to keychain.  My external encrypted drives always ask for the pw again after I unmount and remount them (in the same session).

    ed724

    Well,

    I have 5 encrypted and two unencrypted partitions on my external drive, and all were formatted originally using diskutil and formatting as HFS+ journaled encrypted.  Without any of the passwords entered in keychain, the encrypted partitions can be ejected and remounted from diskutil at will, over and over, without re-entering the password after it is entered only once (again, without entering the password in keychain).  Once mounted, the only way to "eject" any of the encrypted partitions so that they will require a password to re-mount without rebooting is to unplug the external drive holding the partitions.  (This is despite what man diskutil says.)  Which does me no good if I am not physically next to the computer.

    I will try a different drive with only a single partition to see if what you say is true, but what you are saying doesn't seem to jibe with what others are saying.

    Are you sure you are not physically unplugging the external drive before remounting it?  If so, that is not what anyone here is talking about.

  • by AlienCamel.com,

    AlienCamel.com, Dec 18, 2013 3:18 AM in response to MeMeMeMeMe
    Level 2 (448 points)
    Mac OS X

    Agree. While there is a diskutil coreStorage unlockVolume command, there is no lock or re-lock command that I can find.

  • by unoriginalnick,

    unoriginalnick, Jan 25, 2014 11:16 PM in response to MeMeMeMeMe
    Level 1 (25 points)

    I've found a temporary workaround to lock the volume without restarting or disconnecting from USB:

    $ sudo kextunload -pb com.apple.driver.CoreStorage

    Unmount first to (hopefully) prevent file system corruption, then the above will kill all CoreStorage processes and relock the volume.  I tested it a couple of times and it seems to work.  I had to re-load the kext to unlock the volume again, but I got it to work.

    To reload the kext:

    $ sudo kextload -b com.apple.driver.CoreStorage

    Hopefully Apple will wake up and fix this ridiculous security hole soon.

  • by MeMeMeMeMe,

    MeMeMeMeMe, Jan 28, 2014 1:29 AM in response to AlienCamel.com
    Level 1 (0 points)

    AlienCamel.com wrote:

    Agree. While there is a diskutil coreStorage unlockVolume command, there is no lock or re-lock command that I can find.

    "man diskutil" under corestorage states "To 're-lock' the volume, make it offline again by ejecting it, e.g. with diskutil eject."

    This does not work.  If they're not going to fix it, they should update their man page.

  • by himerus,

    himerus, Apr 30, 2014 2:10 PM in response to MeMeMeMeMe
    Level 1 (0 points)

    Yeah, just discovered this as I was setting up a new USB drive to be encrypted and password protected.

    It's a low profile USB that I'd plan to leave plugged in to the USB port almost always. However, I'd like to "eject" the drive when I'm done working with it, and any attempt to mount the drive through Disk Utility should then prompt me for the password again.

    The only options being rebooting or unplugging the USB is NOT an option!! Seems like this one has been around for quite some time, and should be fairly simple to fix.

    PLEASE FIX!!

  • by Maltz,

    Maltz, Oct 31, 2014 11:50 AM in response to MeMeMeMeMe
    Level 1 (4 points)

    I'm happy to report that this appears to have (FINALLY!!) been fixed in Yosemite.  I can either drag the icon to the trash or use "diskutil eject" with either the mount path or the UUID and it will eject AND LOCK the volume.  The option to Mount in Disk Utility is changed to Unlock and I have to provide the passphrase to unlock the volume.

    One note, though...  The manpage says that unlocking a volume will both attach and mount it.  It seems that it is only unlocked, and you have to mount it manually.  No big deal, just click the Mount button in Disk Utility or run "diskutil mount" after unlocking, but it seems they still can't get the manpage and the utility to agree 100%.  lol

  • by wqdw,

    wqdw, Jun 24, 2015 1:15 AM in response to MeMeMeMeMe
    Level 1 (0 points)

    I'm having a similar but different issue with a drive connected by USB caddy. I eject by dragging into the trash or a Finder window, physically remove the drive, and try it in a new Mac, which asks for a password, but then when it is put back into the caddy I can get straight back in, no password needed...

    I'm wondering if my encryption is screwed or if the Mac is storing passwords even though not asked to in keychain, and even with the caddy being turned off.

  • by erwanfromlevallois,

    erwanfromlevallois, Sep 16, 2016 3:37 AM in response to MeMeMeMeMe
    Level 1 (4 points)

    Actually using "diskutil eject /Volumes/<your volume>" rather than diskutil unmount will do the trick. It will lock the drive again.

  • by AlienCamel.com,

    AlienCamel.com, Sep 16, 2016 5:53 AM in response to Maltz
    Level 2 (448 points)
    Mac OS X

    "I'm happy to report that this appears to have (FINALLY!!) been fixed in Yosemite.  I can either drag the icon to the trash or use "diskutil eject" with either the mount path or the UUID and it will eject AND LOCK the volume.  The option to Mount in Disk Utility is changed to Unlock and I have to provide the passphrase to unlock the volume."

    It's not fixed for me in 10.11.6.

    I can just remount an ejected volume without a password in keychain.

  • by Eric Root,

    Eric Root, Sep 16, 2016 8:00 AM in response to AlienCamel.com
    Level 9 (72,634 points)
    iTunes

    You might want to consider starting a new discussion. Since this one is a couple of years old, fewer people are likely to look at it. A new post would be much more visible. You can link to this one. Post in the El Capitan community.